Overview

overview

10

Static

static

PO#3459.jpg.exe

windows7_x64

10

PO#3459.jpg.exe

windows10-2004_x64

10

PO#68732.png.exe

windows7_x64

10

PO#68732.png.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bf6acf9276de65e04d6317c7c651a9b2ec3aa60528421fbb585ab48bfda428b2

  • Size

    1.2MB

  • Sample

    220520-3we2waceam

  • MD5

    250ebbe12051c356ba4802f4bb93a42a

  • SHA1

    82f7ad715c253bb6335eb22046b287e1e1d21bb7

  • SHA256

    bf6acf9276de65e04d6317c7c651a9b2ec3aa60528421fbb585ab48bfda428b2

  • SHA512

    5e767bc6b55564734909326b89782ebe86eb7f40b39ed903f4b3bdebe3ef337a0cebd0fc35fcd39984174ecc6c3d7b41598402b975cadc10729432dcd3f44a2c

Score
10/10
agentteslamassloggeragilenetcollectionkeyloggerpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.kaysarplastik.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    abdullah123

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note
<|| v2.2.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 6:03:09 AM MassLogger Started: 5/21/2022 6:03:02 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| USB Spread ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> NA

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.kaysarplastik.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    abdullah123

Targets

    • Target

      PO#3459.jpg.exe

    • Size

      703KB

    • MD5

      518090e39e06e5f3efcebcdf9404183d

    • SHA1

      c47e0de5fe58346e3575aab0bbb8af3a638f04c6

    • SHA256

      006e2d9f385a7c4d88299832906bf975a311e61ad24fb8b5b1130a9f308cb8c7

    • SHA512

      ea436927dfd75d312e96cd8afcd7e8e274d31f9c04d72d1742a323a1a65417b59a04fffd720ed4655730b34cfb48d78d4fa37f3f5e0f3652f003e720dc13cb5b

    Score
    10/10
    agentteslaagilenetkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      PO#68732.png.exe

    • Size

      2.8MB

    • MD5

      8f12c0c6c1854dae382473bfe77019f7

    • SHA1

      44d776b496ba926e48d5b5def8eeaaab6d64feb8

    • SHA256

      7998ac3e684a8b86abc784ecfbce4a23a54166ef3a08d497a0288dc667c6f510

    • SHA512

      53b97b8f079f558dc26422ee9369c01aedc83ed79d5926594a520c9f719ddbba2add6b5e97c844aaf818beac33510d5e4e74ec4eb175e10d52e9404a846a671c

    Score
    10/10
    agentteslamassloggeragilenetcollectionkeyloggerpersistenceransomwarespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

      stealerspywaremasslogger

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • AgentTesla Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks